From: Dongliang Mu <mudongliangabcd@gmail.com>
To: Dongliang Mu <dzm91@hust.edu.cn>
Cc: Dave Kleikamp <shaggy@kernel.org>,
syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com,
jfs-discussion@lists.sourceforge.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fs: jfs: fix shift-out-of-bounds in dbAllocAG
Date: Sun, 9 Oct 2022 10:00:48 +0800 [thread overview]
Message-ID: <CAD-N9QXODN4xjOg3a3chs0yxfXfAO8pY+yud0Den+1padxGoLA@mail.gmail.com> (raw)
In-Reply-To: <20220929054500.488604-1-dzm91@hust.edu.cn>
On Thu, Sep 29, 2022 at 1:47 PM Dongliang Mu <dzm91@hust.edu.cn> wrote:
>
> From: Dongliang Mu <mudongliangabcd@gmail.com>
>
> Syzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The
> underlying bug is the missing check of bmp->db_agl2size. The field can
> be greater than 32 and trigger the shift-out-of-bounds.
>
> Fix this bug by adding a check of bmp->db_agl2size in dbMount since this
> field is used in many following functions. Note that, for maintainance,
> I reorganzie the error handling code of dbMount.
>
> Reported-by: syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com
> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
> ---
> fs/jfs/jfs_dmap.c | 21 +++++++++++++++------
> 1 file changed, 15 insertions(+), 6 deletions(-)
>
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index 6b838d3ae7c2..4c717f245920 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -155,7 +155,7 @@ int dbMount(struct inode *ipbmap)
> struct bmap *bmp;
> struct dbmap_disk *dbmp_le;
> struct metapage *mp;
> - int i;
> + int i, err;
>
> /*
> * allocate/initialize the in-memory bmap descriptor
> @@ -170,8 +170,8 @@ int dbMount(struct inode *ipbmap)
> BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
> PSIZE, 0);
> if (mp == NULL) {
> - kfree(bmp);
> - return -EIO;
> + err = -EIO;
> + goto err_kfree_bmp;
> }
>
> /* copy the on-disk bmap descriptor to its in-memory version. */
> @@ -181,9 +181,8 @@ int dbMount(struct inode *ipbmap)
> bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
> bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
> if (!bmp->db_numag) {
> - release_metapage(mp);
> - kfree(bmp);
> - return -EINVAL;
> + err = -EINVAL;
> + goto err_release_metapage;
> }
>
> bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
> @@ -194,6 +193,10 @@ int dbMount(struct inode *ipbmap)
> bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
> bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
> bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
> + if (bmp->db_agl2size >= 32) {
> + err = -EINVAL;
> + goto err_release_metapage;
> + }
> for (i = 0; i < MAXAG; i++)
> bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
> bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
> @@ -214,6 +217,12 @@ int dbMount(struct inode *ipbmap)
> BMAP_LOCK_INIT(bmp);
>
> return (0);
> +
> +err_release_metapage:
> + release_metapage(mp);
> +err_kfree_bmp:
> + kfree(bmp);
> + return err;
> }
>
ping?
>
> --
> 2.35.1
>
next prev parent reply other threads:[~2022-10-09 2:02 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-29 5:44 [PATCH] fs: jfs: fix shift-out-of-bounds in dbAllocAG Dongliang Mu
2022-10-09 2:00 ` Dongliang Mu [this message]
2022-10-10 14:13 ` Dave Kleikamp
2022-10-13 20:55 ` Dave Kleikamp
2022-10-14 8:45 ` Dongliang Mu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAD-N9QXODN4xjOg3a3chs0yxfXfAO8pY+yud0Den+1padxGoLA@mail.gmail.com \
--to=mudongliangabcd@gmail.com \
--cc=dzm91@hust.edu.cn \
--cc=jfs-discussion@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=shaggy@kernel.org \
--cc=syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).